The importance of responsible security disclosures

Posted: 12/08/2022 | By: Nick Nolen, Sr. Director, Threat & Vulnerability Management, and Jason Ferguson, Director, Product Security

We say it time and time again, because it bears repeating: ConnectWise is committed to security as a top priority. Security requires transparency. At IT Nation Connect, Patrick Beggs, our CISO, reiterated this commitment and discussed our work to build security-minded principles into all phases of our product development, service considerations, and communication processes. We know transparency about these processes will help strengthen trust with our partners, awareness in the industry, and the overall posture of the community.  

We want to showcase a bit of our approach using a recent example spanning the past couple of months. On October 16, 2022, ConnectWise was informed by a security researcher about a potential vulnerability in versions 22.7 and below of the ConnectWise Control client: an issue that could allow an attacker to spoof a relay into another host's installer. We began investigating right away and engaged with the researcher within 72 hours to discuss the findings further. On October 21, 2022, we released a remediated version of Control (22.8.10013) and referenced the changes in the product’s release notes as part of our standard practices. In alignment with our thresholds and standards, a broad security advisory or alert was not released for this vulnerability.

As is common knowledge, industry best practices point to using responsible disclosure paths to avoid imposing unnecessary panic and risk across the entire community. We are still seeing several publications surrounding this research, as well as other non-disclosed issues that do not pose a threat, and we continue to reach the same conclusion: there is no new risk beyond that of threat actors using remote control software for access, which is always present and nothing novel.

In this instance, an independent third-party firm, Huntress, reviewed the research disclosed publicly online and connected with both the ConnectWise Product Security Response Team and the researcher. Huntress has publicly supported our assessment of the severity and confirmed that the patch we released successfully remediated the reported issue. Huntress noted that they have seen social engineering and phishing attempts utilizing ConnectWise Control, but agreed that they are not seeing any exploitation attempts against a potential vulnerability. The team at Huntress issued a full technical write-up of their findings, and we commend them on their continued willingness to practice responsible disclosure openly and honestly and to work collaboratively with us for the betterment of the community.

To be clear, at this time we have no indication that the behavior reported above is being abused in the wild, and no known security incidents occurred as a result. While the issue reported may bear some resemblance to ongoing phishing and social engineering campaigns, there is no correlation between the two; our release fully resolved the issue.

Additional insight on our security approach 

As ConnectWise issues updates to our products and services, it is common practice for us to reference the changes in our release notes. For security fixes that are identified as being a moderate or high risk, we also post updates to our Security Bulletins page, which features an RSS feed to subscribe to updates. Alongside our Security Advisory Council, we are exploring additional alerts to add to our communication cadence to keep partners informed of all types of security updates.  

On occasion, there are industry-wide trends or topics that are tangentially related to security – even if not solely focused on an issue with our product – that we want to share with partners. We post this kind of content on our Advisories page in our Trust Center, which also features an RSS feed to subscribe to updates. For example, last week, we posted an Advisory about an increase in phishing attempts we’ve seen reported by our partners. Historically, this time of year tends to see an increase in these types of attacks across the industry, and we want to ensure our partners remain vigilant in monitoring for malicious content as threats continue to become more sophisticated. It’s important to note that while the instance we referenced in our Advisory was tied to ConnectWise Control, it was completely unrelated to the patch to the product. Phishing attempts happen far too often, and we continue to do our part to report and shut down the nefarious domains associated with attempts to convince our partners to share their credentials. If you see an attempt like this, please visit our Trust Center as a central place to manage security-related content.  

Recommendations 

Conversations online can often swirl up dialogue – which we take in stride provided it points to a safer environment for our partners. We want to take this opportunity again to remind our partners and their clients to safeguard themselves by following security best practices such as: 

  • Patch your systems as soon as possible by following a defined patch management process that offers timely risk remediation. 
  • Evaluate any compensating controls to reduce/mitigate the risk to vulnerabilities. 
  • Communicate with end users the paramount importance of avoiding social engineering attacks, including but not limited to phishing attacks. Be diligent. Never trust, always verify.

Transforming our Vulnerability Disclosure Program (VDP) 

Earlier this year, we had the pleasure of meeting with a handful of partners to introduce the Product Security Response Team (PSRT) here at ConnectWise. The PSRT will be leading the charge to identify ways to improve how we gather and communicate information about product vulnerabilities to our partners.

Building on the momentum of other effectively managed disclosures, we were in the final phases of preparing communications and updated pages when this event gave us the opportunity to announce some of the changes happening within our program. We encourage you to visit our updated Vulnerability Disclosure Policy to view our set of guidelines for researchers who want to engage with us.

This VDP update is just the first step in the transformation of our Product Security program. Our intention is to drive transparency and continuous improvement, through both large initiatives and incremental changes. We are confident that, after we gather and understand the data and further align our internal processes, we can deliver a better experience for processing disclosures.

Moving forward together 

Protecting the security of the industry is a team effort. In addition to our own efforts to review, assess, and build products and services with a security-first mindset, we encourage members of the community to responsibly disclose any issues they may come across. We’ve had the privilege of working with great partners, vendors, and researchers to ensure the highest level of security standards are followed; we look forward to continuing that tradition in the years to come. For more information, please visit our Trust Center at: www.connectwise.com/company/trust 
